Re: Writing Secure code[update]

Rahul Chander Kashyap wrote:

>First of all i'm thankful to all for responding to my query. Well this shows
Safety standards. They sound great: specify a standard, have everyone follow it, and we'll have far fewer problems.

The problem is that the standard must be *effective*. Safety standards in other engineering disciplines are only implemented after it is *very* well understood what cookbook recipe a competent engineer should follow when designing a steam boiler, bridge, skyscraper, etc. such that it will not fall down.

We cannot specify a cook book for programmers to follow to write secure code, because we do not know what such a cook book should say. Prematurely specifying a security programming standard would be disasterous, for several reasons:

• Unrealistic expectations: lay people will believe the hype, and expect standard-following code to be secure, and then regret it when they get hacked anyway.
• Poor uptate: users starting to notice that the standard doesn't work will fail to pay the price premium for standard-following products.
• Contempt: developers who know that the standard doesn't work will be contemptuous of it, and refuse to follow it.

With nearly everyone having such a negative view of the standard, it will substantially delay the adoption of standards that are actually effective when they eventually come along.

Oh wait! This has already happened: Orange Book, Common Criteria, and ISO 9000 are all standards that seek to do what you propose, they are all hugely expensive to propose, and none of them work. They have not been widely adopted, and one or two of us are a tad contemptuous of them :)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

So long as "writing secure code" is still a research problem, it should not be standardized.

So what can be done? We *do* have a bunch of good practice knowledge (the Saltzer and Schroeder paper
<http://web.mit.edu/Saltzer/www/publications/protection/index.html>, books <http://buildingsecuresoftware.com/>, and on-line resources <https://sardonix.org/Auditing_Resources.html>) and that knowledge is very poorly diffused into the general programmer population. *Education* is the key here: share these best practices with every programmer you can. If you are software educator, make sure your students are made aware of these issues.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      
http://wirex.com/~crispin/
Security Hardened Linux Distribution:       
http://immunix.org
Available for purchase: 
http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"